new trend of ids

Upload: riaz123456

Post on 03-Apr-2018

  • 7/29/2019 New Trend of IDS

    1/18

    Southeast University

    School of Cs. & Eng.2007.1

    Wei Wei

    School of Computer Science and Engineering

    East China (North) Regional Network Center (NENC) of CERNET

    Southeast University, Nanjing, Jiangsu, China

    New Trend of Intrusion Detection System for High-speed Networks

    Outline

    Introduction

    Related work

    Our Work

    Conclusion

    Introduction

    The recent trend of high-speed networks

    2004 Dataquest Stat.

    14% of the links between core routers: OC-768 (40 Gbps)

    21% of edge links: OC-192 (10 Gbps)

    Increasingly complex intrusion detection methods

    Challenging the capability of a single NIDS

    Introduction

    Distributed architecture as an alternative

    Basic idea

        Traffic splitting

        Parallel process

        Reducing load on a single node

    Components

        Network tap

        Traffic scatter

        Traffic slicer

        Switch

        Stream reassembler

        Channel

        IDS sensor

    Introduction

    Evaluation

    Good scalability and flexibility

    The back-end processing system can be managed as a computer cluster, whose capability far exceeds that of a single node

    Related Work

    Two key technologies

    Traffic splitting

    Load balancing

    Related Work

    Traffic Splitting principles

    To distribute packets of the same attack to the same sensor

    Efficient enough to keep up with the network speed

    To distribute the traffic among sensors as evenly as possible

    Adaptive to the variety of the network traffic

    Related Work

    Recent traffic Splitting approaches

    Mainly based on flows

    Hashing the triple of a flow to a specific sensor

    Some based on security policies and IDS characteristics
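
Added example (not from the original slides): a flow-hash splitter in Python. The slides do not say which three fields form the triple, so source address, destination address and protocol are assumed here, as are the sensor count and the sample traffic; the key is made direction-independent so both halves of a conversation reach the same sensor.

```python
import hashlib
import ipaddress
from collections import Counter

N_SENSORS = 4  # assumed cluster size, not from the slides

def flow_key(src, dst, proto):
    """Direction-independent key: order the endpoints so A->B and B->A match."""
    a, b = sorted((int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))))
    return a.to_bytes(16, "big") + b.to_bytes(16, "big") + bytes([proto])

def pick_sensor(src, dst, proto, n=N_SENSORS):
    """Map a flow to a sensor index with a stable hash (not Python's salted hash())."""
    digest = hashlib.blake2b(flow_key(src, dst, proto), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n

def load_per_sensor(packets, n=N_SENSORS):
    """Packets delivered to each sensor; packets are (src, dst, proto) tuples."""
    counts = Counter(pick_sensor(*p, n=n) for p in packets)
    return [counts.get(i, 0) for i in range(n)]

def sensors_seeing_source(packets, src, n=N_SENSORS):
    """Sensors that receive at least one packet sent by src."""
    return {pick_sensor(*p, n=n) for p in packets if p[0] == src}

# Constructed sample traffic (documentation address ranges, protocol 6 = TCP).
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
conversation = [(CLIENT, SERVER, 6), (SERVER, CLIENT, 6)] * 50
# One source contacting 200 different destinations: a multi-target pattern.
SWEEP_SRC = "203.0.113.9"
sweep = [(SWEEP_SRC, f"198.51.100.{i}", 6) for i in range(1, 201)]

if __name__ == "__main__":
    print("conversation load:", load_per_sensor(conversation))
    print("sweep load:       ", load_per_sensor(sweep))
    print("sensors seeing sweep source:",
          sorted(sensors_seeing_source(sweep, SWEEP_SRC)))
```

The two-way conversation stays on one sensor, while the single-source sweep is spread over several sensors, so no one sensor sees the whole pattern; this is the case the deck's later goal of integrating node-issued alerts for multi-object attacks addresses.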

    Related Work

    Load balancing

    Unlike in other environments such as web servers or clusters

    Mainly concerned with the guarantee of appropriate sensor load much more than fairness of work distribution

    Assignment of load balancing in NIDS

    Traffic splitter

        To keep the detecting capability of sensors and easily manage the overall system

    Each sensor

        Choosing packets to detect based on the load balancing approach

    Related Work

    Load balancing algorithm

    How to predict overloading on nodes precisely

    How to reduce the load smoothly to get the smallest packet loss rate

    Related Work

    Improvement of the architecture

    Early filtering

    Locality buffering

    Multiple levels of hashing

    Adding an analyzing node

    Our work

    Past work

    A misuse intrusion detection system: Monster 3.0

    Supporting Gigabit Ethernet link traffic processing

    Applied successfully to the construction of CERNET high-speed regional networks

    [Figure: network topology. Labels: Regional Backbone 7609; Regional Backbone 6503; National Backbone CRS1; Wuhan Node; Shanghai Node; Beijing Node; 2.5G, 1G, 100M and 10G channels]

    Our work

    Our goal

    A parallel IDS for high-speed networks based on the distributed architecture

    Features of the system

        Using common PC servers without requiring special hardware

        Running on high-speed networks steadily and assuring a low packet loss rate

        A simple and efficient splitting design to meet the demand of high speed, assign the traffic across nodes as evenly as possible and adapt itself to the variety of the network traffic

        A practical dynamic load balancing scheme to achieve a proper balance between the packet loss rate and the algorithm complexity

        Integrating the node-issued alert messages to detect multi-object attacks on the whole network

        Providing high-level reports on the objective networks' macroscopic security trend analysis, response suggestions, and reactions at the same time

    Our work

    [Figure: system architecture. Labels: Scatter; Switch; Load balancers; Reassemblers; Sensors; Analyzer]

    Conclusion

    The parallel IDS architecture effectively addresses the processing and analysis capability needed for network security on high-speed networks.

    It has better scalability and flexibility with a hierarchical structure.

    Based on this architecture, the IDS will effectively monitor our backbone network for security and help us in the evaluation and forecast of network security situations.

    Questions?

    Thank You